03/07/2013

Using Certificate Authentication for Cross Domain Communication

In this post I try to present the basic idea and implementation of using certificates for communication between different parties in a real-world scenario. Don't worry about the screenshots of config files; you can download the sample and copy all the settings you need from it.

There are many scenarios which demand a certificate authentication mechanism. Common examples are:
#1. Banking web applications which do their transactions using FBA and certificate authentication
#2. Server to server calls
#3. Service to service calls
#4. Application to service calls
and so on, covering most of the high security requirements.

But everything boils down to "a cross domain communication", or we can say "domain independent communication".

Creating a Certificate:
Actually the certificate should be authorized and issued by a trusted Certificate Authority (CA). But I cannot afford a certificate just for this post or sample, so I created my own certificate authority on my Server 2008 machine.

Once the certificate authority was created, and if you chose to install the "Online Responder" component during installation, a web application will be provisioned in IIS to deal with online certificate requests.
The typical URL for that application will be http://servername/CertSrv

Now it's time to request a certificate for our purposes. You have to be cautious about the type of certificate you request.

If you are acting as a source (the service), request a Server Authentication Certificate in the type dropdown. Otherwise request a Client Authentication Certificate.

Now the certificate server administrator can approve the request, and we can download the certificate and install it on our server.

Configuring the Certificate:
Created a simple WCF service.

Created a website in IIS to host my WCF service. Try to keep the name of the website the same as the name on the certificate; otherwise we may get a certificate error while browsing on our own machine.

Go to Edit Bindings and assign the port number and the server certificate we intend to use for the WCF service.

Enable only Anonymous authentication for this service.

Go to SSL Settings of the website, select "Require SSL" and select "Accept" for Client certificates.

Go to Advanced Settings of the site and enable both the http and https protocols. It's your choice whether to have both http and https if required.

Last step is to configure the certificate details in Service config.

Let's discuss the highlighted parts one by one.
#1. Service metadata should be exposed via https, so you have to set httpsGetEnabled="true".
#2. The certificate details have to be mentioned in the behavior configuration in order to bind it with the service. Look at the behaviorConfiguration attribute of the service tag.
#3. The service certificate findValue is the serial number of the certificate. How to find it? Go to IIS -> click on the server name -> in the right pane, click Server Certificates -> double-click the certificate and follow the image.

#4. The security mode should be "TransportWithMessageCredential", and the clientCredentialType of both transport and message should be configured as Certificate.
#5. The mex endpoint should be exposing the metadata over https, so the binding should be "mexHttpsBinding" instead of mexHttpBinding.
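The service-side configuration described in the points above, written out as an added example (the original post showed it only as a screenshot; this is my reconstruction, not the author's file). The service and contract names TestCertSvc.Service1 / TestCertSvc.IService1 and the behavior and binding names are assumptions, and the findValue is a placeholder for the serial number you read from the certificate.

```xml
<system.serviceModel>
  <services>
    <!-- behaviorConfiguration binds the certificate behavior to this service (#2) -->
    <service name="TestCertSvc.Service1" behaviorConfiguration="CertServiceBehavior">
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="CertBinding"
                contract="TestCertSvc.IService1" />
      <!-- metadata over https, so mexHttpsBinding, not mexHttpBinding (#5) -->
      <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <bindings>
    <wsHttpBinding>
      <binding name="CertBinding">
        <!-- #4: TLS on the wire, certificate as the message credential -->
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="Certificate" />
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="CertServiceBehavior">
        <!-- #1: metadata is only reachable over https -->
        <serviceMetadata httpsGetEnabled="true" httpGetEnabled="false" />
        <!-- keep stack traces out of faults sent to remote callers -->
        <serviceDebug includeExceptionDetailInFaults="false" />
        <serviceCredentials>
          <!-- #3: locate the server certificate by its serial number (placeholder value) -->
          <serviceCertificate findValue="PLACEHOLDER_SERVER_CERT_SERIAL"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindBySerialNumber" />
          <clientCertificate>
            <!-- ChainTrust: the client cert must chain to a CA this machine trusts;
                 never ship "None" here, it would accept any certificate -->
            <authentication certificateValidationMode="ChainTrust"
                            revocationMode="Online" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

The clientCertificate/authentication element is what turns "the client presented a certificate" into "the client presented a certificate we trust"; check it whenever a service accepts certificates from another domain.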

Now, I tried security mode "Transport" and had an issue with a conflict between the SSL settings of the service and IIS, saying:
"The SSL settings for the service 'SslRequireCert' does not match those of the IIS 'Ssl, SslNegotiateCert'."
So, better go with the #4 setting mentioned above.

Now we are done with all the settings, and the service is hosted using certificate authentication and can be accessed from any domain in the presence of the required certificates.

I have a simple method called echo which returns a success status with a timestamp.

OK, I said the service is served with certificate authentication and can be accessed from any domain in the presence of the required certificates. How to test that?

Yes, a test harness. I have created a simple Windows application which consumes the service from another domain.
But in order to do that, install the client certificate on the second machine.

Now I created the Windows application and added a reference to the service. This creates a client web.config file with the binding and client endpoint information.
And the config looks like this.

Fantastic, now execute the client application and you end up with the error message "The client certificate is not provided. Specify a client certificate in ClientCredentials."
This means the certificate details are missing in the client config.
I added the highlighted part below to the client config, and the client config looks like this now.
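The client-side configuration after adding the certificate details, written out as an added example (again my reconstruction, not the author's screenshot). The endpoint address is the one the post names; the contract name ServiceReference1.IService1, the binding/behavior names and the serial-number placeholder are assumptions.

```xml
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- must mirror the service binding: same mode and credential types -->
      <binding name="WSHttpBinding_IService1">
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="Certificate" />
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <!-- behaviorConfiguration is the part that was missing and caused
         "The client certificate is not provided" -->
    <endpoint address="https://TestCertForService:7777/Service1.svc"
              binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IService1"
              contract="ServiceReference1.IService1" name="WSHttpBinding_IService1"
              behaviorConfiguration="ClientCertBehavior">
      <identity>
        <!-- expected service identity; must match the name on the server cert -->
        <dns value="TestCertForService" />
      </identity>
    </endpoint>
  </client>
  <behaviors>
    <endpointBehaviors>
      <behavior name="ClientCertBehavior">
        <clientCredentials>
          <!-- the client authentication certificate installed on this machine
               (placeholder serial number) -->
          <clientCertificate findValue="PLACEHOLDER_CLIENT_CERT_SERIAL"
                             storeLocation="CurrentUser" storeName="My"
                             x509FindType="FindBySerialNumber" />
          <serviceCertificate>
            <!-- validate the server cert against trusted CAs; do not relax to "None"
                 just to get past a certificate error on a test box -->
            <authentication certificateValidationMode="ChainTrust"
                            revocationMode="Online" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>
```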

Before you execute, please give a thought to the service URL. It is https://TestCertForService:7777/Service1.svc. Now your system does not know where this TestCertForService is. To make it aware of the server, you need to add a hosts entry on the client machine with the IP of the server where our service is hosted.
Go to c:\windows\system32\drivers\etc\, open the hosts file and add the details as below.

Now, here comes the test harness execution.

We successfully made the cross domain call over a secure channel !

Before we close the post, how were these certs able to authorize the call? I tried my best to explain it in the image below.

Code Sample: Search for TestCertSvc.Zip in here. It has both the Service and the Client.
